Few expected to make June 30 PCI deadline for Web application security

Many firms just now shaking off the mental cobwebs

Retailers covered by the Payment Card Industry Data Security Standard (PCI-DSS) have just about a month and a half left to comply with new requirements for protecting Web applications. But as with previous PCI-related deadlines, this one appears destined to pass with a majority of merchants unlikely to be in full compliance.

After June 30, all merchants accepting payment card transactions will be expected to either use a specialized firewall for protecting their Web applications or to have completed a Web application software code review for finding and fixing vulnerabilities in these applications. Companies that fail to implement either measure will be deemed to be out of compliance with PCI starting June 30.

"Most of our clients are not going to be ready," by that deadline, said Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc. "We are amazed at how many companies are still only learning their way around the requirements" and what they call for, Litan said.

With the deadline fast approaching, though, Gartner has seen an uptick in the number of calls it is receiving from clients wanting to know more about the new controls and how to implement them, she added.

Section 6.6 of the new PCI requirements (download PDF) basically requires merchants to ensure that all Web-facing applications are protected against known attacks by applying either an application firewall or by completing an application code review -- either manually or by using application-scanning tools. The requirements have been recommended best practice for more than 18 months but are now becoming a formal mandate.

According to Litan, many of Gartner's clients are choosing to deploy Web application firewalls instead of going the code review route. "They are looking for quick fixes. Application firewalls are quick fixes" compared to finding and fixing flaws in application software, she said. However, such firewalls alone are not enough in the long run, she added: "Application firewalls are a reactive measure. You have a lot of vulnerable applications that still need to be fixed." As a result, companies that want to really secure their Web application environments will need to think beyond PCI compliance. Scanning for and fixing vulnerabilities in Web applications "should be given priority over the use of Web application firewalls, which should be used in addition to, not instead of," code reviews, she said.

Under 6.6, companies that choose to implement application firewalls need to ensure that the technology is deployed in full blocking mode, said Jeremiah Grossman, chief technology officer and founder of WhiteHat Security Inc. Doing that effectively requires merchants to invest a substantial amount of time tweaking their firewalls to ensure that only malicious content is blocked, while letting legitimate traffic in. There is a learning process involved in doing this that can take anywhere from three to six months -- which, he noted, many companies may not be aware of or budgeting for.

There may be a similar disconnect over what the code-review component really means, Grossman said. Companies that choose to do a code review will need to make sure that that they are not just identifying the vulnerabilities in their software but are actually going out and fixing them, which can be a time-consuming process, he said. There is also still some confusion over who exactly is qualified to be doing such reviews, Grossman said. Right now, PCI rules allow for either manual or automated code reviews performed by qualified third parties or by qualified internal resources. The problem is that without any formal certifications or other measures available currently, it's hard to say who exactly might be qualified to assess the security of Web applications internally, he said.

Whichever route a company might choose, Grossman noted, what's important to note is that neither firewalls nor code reviews by themselves are enough. "Vulnerability assessment, should always been seen as complementary to Web application firewalls," he said. "Vulnerability assessments overall are a measurement, while Web application firewalls are defensive technology. ... In the next two to three years, Web application security [assessments] and firewalls will be ubiquitous. The question is which will companies tend to adopt first."

In response to a request for comment, a spokesman for the PCI Security Standards Council, which administers the standard, pointed to a recently issued update (download PDF) aimed at clarifying what exactly the code review and firewall requirements are.

"Most of the feedback we have heard is from merchants who have waited to implement a solution until now or procrastinated on implementation. We haven't heard anyone say this is something we ought not to be requiring," the spokesman said in an e-mailed statement.

The new PCI deadline looms even as some have begun questioning the effectiveness of the standard in helping companies to better secure payment card data. The questions first surfaced after supermarket chain Hannaford Bros. Co. revealed in March that it had been breached even though it had been PCI compliant at the time of the breach. Since then, analysts and others close to the effort have begun to publicly air doubts about whether the standard needs to be tweaked to ensure better payment card security.

In a recent interview with Computerworld, Bob Russo, general manager of the security council, downplayed such concerns and noted that the standard is solid despite those doubts. He added that the body is waiting to get details on the Hannaford breach to know if changes to the standard need to be made. He also pointed out that a new version of the standard will be released later this year aimed at addressing new and emerging threats to cardholder data.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon